Best approach to adding permissions to dynamic resources

Our application has the concept of Users and Clients. A User can be given permission to access a specific Client and do some, none, or all the operations on the Client. The Client is created manually by an Administrator who also grants a User permission to a Client. What is the best way to handle this in the Authorization Extension?

From browsing the tutorials, it seems the best approach is to use the Management API to create a Client specific permission once a Client is created in our app. For example, if I create Client A (with ID 1) in the app, we'll fire off a request to create Permissions for that Client ( client-a-1:read, client-a-1:edit, client-a-1:other-permission. The Administrator then grants the respective users the permission for that Client.